In the ever-evolving landscape of cybersecurity, one of the most insidious types of attacks that organizations face today is the adversary-in-the-middle (AiTM) attack. These attacks involve a phished user interacting with an impersonated site created by the attacker, allowing the attacker to intercept credentials and session cookies and bypass multifactor authentication (MFA).
Microsoft has been at the forefront of combating these threats, leveraging artificial intelligence to help security teams scale more effectively. Microsoft 365 Defender correlates millions of signals across endpoints, identities, emails, collaboration tools, and SaaS apps to identify active attacks and compromised assets in an organization’s environment.
Automatic Attack Disruption
Last year, Microsoft introduced automatic attack disruption, which uses these correlated insights and powerful AI models to stop some of the most sophisticated attack techniques while in progress to limit lateral movement and damage. The expansion of automatic attack disruption now includes AiTM attacks, in addition to the previously announced public preview for business email compromise (BEC) and human-operated ransomware attacks.
Automatic attack disruption does not require any pre-configuration by the SOC team. Instead, it’s built in as a capability in Microsoft’s XDR. The process of AiTM attack disruption involves:
- High-confidence identification of an AiTM attack based on multiple, correlated Microsoft 365 Defender signals.
- An automatic response is triggered that disables the compromised user account in Active Directory and Azure Active Directory.
- The stolen session cookie will be automatically revoked, preventing the attacker from using it for additional malicious activity.
SOC teams can configure automatic attack disruption and easily revert any action from the Microsoft 365 Defender portal.
A Closer Look at AiTM Attacks
A recent large-scale phishing campaign used AiTM phishing sites to steal passwords, hijack a user’s sign-in session, and skip the authentication process even if the user had enabled MFA. The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets. The AiTM phishing campaign attempted to target more than 10,000 organizations since September 2021.
Microsoft 365 Defender detects suspicious activities related to AiTM phishing attacks and their follow-on activities, such as session cookie theft and attempts to use the stolen cookie to sign into Exchange Online. However, to further protect themselves from similar attacks, organizations should also consider complementing MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals like user or group membership, IP location information, and device status, among others.
Getting Started with AiTM
To get started with AiTM, organizations need to understand the nature of these attacks and how they can be prevented. Here are some steps to get started:
Understand the Threat: AiTM attacks involve an attacker intercepting a user’s interaction with a legitimate site, stealing their credentials and session cookies, and bypassing MFA. Awareness of this threat is the first step towards prevention.
Implement MFA and Conditional Access Policies: While AiTM attacks can bypass MFA, it’s still a crucial security measure. Complement MFA with conditional access policies that evaluate sign-in requests using additional identity-driven signals.
Leverage Microsoft 365 Defender: Microsoft 365 Defender can detect suspicious activities related to AiTM attacks and trigger automatic responses to disrupt these attacks. It’s a powerful tool in the fight against AiTM attacks.
Monitor for Suspicious Activities: Continuously monitor for suspicious or anomalous activities, such as sign-in attempts with suspicious characteristics or unusual mailbox activities.
Train Your Staff: Educate your staff about AiTM attacks and how to recognize phishing attempts. Regular training can help prevent successful attacks.
Conclusion
As the threat landscape evolves, organizations need to assume breach and understand their network and threat data to gain complete visibility and insight into complex end-to-end attack chains. Microsoft 365 Defender, with its automatic attack disruption capability, provides a robust defense against AiTM attacks, helping organizations to stay one step ahead of the attackers.
In the face of evolving cybersecurity threats, it’s crucial for organizations to stay ahead. Adversary-in-the-middle (AiTM) attacks pose a significant risk, but with the right tools and strategies, you can protect your organization effectively.
Microsoft 365 Defender offers robust capabilities to detect and disrupt AiTM attacks, providing a critical line of defense for your organization. But technology alone is not enough. It’s equally important to educate your staff about these threats and how to recognize and respond to them.
At Levacloud LLC, we understand the complexities of these challenges and are here to help. We offer Free Proof of Concept and Pilot offerings for Microsoft 365 Defender, providing you with the opportunity to see firsthand how these solutions can enhance your organization’s security.
Don’t wait for a breach to happen. Take action now to secure your organization against AiTM attacks. Start by understanding the threat, implementing MFA and conditional access policies, leveraging Microsoft 365 Defender, monitoring for suspicious activities, and training your staff.
To learn more about our Free Proof of Concept and Pilot offerings for Microsoft 365 Defender, request your free consultation today. Our team of experts is ready to guide you through the process and answer any questions you may have.
Take the first step towards enhancing your organization’s security today. Your proactive action can make all the difference in protecting your organization from AiTM attacks and other cybersecurity threats. Contact Levacloud LLC today to get started.
References
Microsoft Tech Community. (2023). Automatically disrupt adversary-in-the-middle (AiTM) attacks with Microsoft 365 Defender. Retrieved from https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/automatically-disrupt-adversary-in-the-middle-aitm-attacks-with/ba-p/3821751
Microsoft Learn. (n.d.). Configure automatic attack disruption in Microsoft 365 Defender. Retrieved from https://learn.microsoft.com/en-us/microsoft-365/security/defender/configure-attack-disruption?view=o365-worldwide
Microsoft Security Blog. (2022). From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud. Retrieved from https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/